Amazon Web Services SAP-C02 Based on Real Exam Environment

The requirement is preventive enforcement during CloudFormation provisioning. AWS CloudFormation Hooks are designed to evaluate CloudFormation and Cloud Control API operations before resources are created or updated. If a resource is noncompliant, a Hook can fail the operation and prevent provisioning. Lambda Hooks allow custom logic, which fits predefined company-specific rules. Deploying and protecting Hooks centrally with StackSets, SCPs, and IAM policies gives consistent enforcement across the organization with low operational overhead. AWS Config custom rules are detective controls; they evaluate resources after deployment and cannot reliably prevent initial creation. CloudFormation macros require templates to explicitly use the macro and are not a universal enforcement layer. Manually invoking CloudFormation Guard through a Lambda function does not automatically block every CloudFormation deployment unless separately integrated.

Configuring AWS CloudTrail to log S3 data events will enable logging all activities for objects in the S3 bucket1. Data events are object-level API operations such as GetObject, DeleteObject, and PutObject1. Configuring Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic will enable sending email notifications every time there is an attempt to delete data in the S3 bucket2. EventBridge can route events from S3 to SNS, which can send emails to subscribers2. Configuring a new S3 bucket to store the logs with an S3 Lifecycle policy will enable keeping the logs for 5 years in a cost-effective way3. A lifecycle policy can transition the logs to a cheaper storage class such as Glacier or delete them after a specified period of time3.

This option will meet the requirements of preventing any new or existing EC2 instances in the OU’s accounts from gaining a public IP address. An SCP is a policy that you can attach to an OU or an account in AWS Organizations to define the maximum permissions for the entities in that OU or account. By creating an SCP that denies the ec2:RunInstances and ec2:AssociateAddress actions when the value of the aws:RequestTag/aws:PublicIp condition key is true, you can prevent any user or role in the OU from launching instances that have a public IP address or attaching a public IP address to existing instances. This will effectively enforce a security best practice and reduce the risk of unauthorized access to your EC2 instances.

The most effortless way to ensure that all new Amazon Elastic Block Store (EBS) volumes are encrypted at rest is to enable EBS encryption by default in all AWS Regions. This setting automatically encrypts all new EBS volumes and snapshots created in the account, thereby ensuring compliance with encryption policies without the need for manual intervention or additional monitoring.

AWS Documentation on Amazon EBS encryption provides guidance on enabling EBS encryption by default. This approach aligns with AWS best practices for data protection and compliance, ensuring that all new EBS volumes adhere to encryption requirements with minimal operational effort.